From Prevention to Detection: A Paradigm Shift in Enterprise Network Security

While the technology used by enterprises to protect against today’s advanced threats is quite complex, understanding the essence of what the technology does shouldn’t be complicated at all. Rather, it should be refreshingly simple and easy to grasp- both by CISOs, who are tasked with keeping their network safe, and CFOs, who hold the “purse strings” and need to justify the investment.

Fortunately, human beings have a method for explaining complicated things in a way that is “refreshingly simple” and “easy to grasp”. Of course, I’m talking about a metaphor. And it’s through a metaphor that we can cut through the layers of confusion that continue to prevent many enterprises from understanding what their current network security solution can – and more importantly, cannot – do to keep them safe.

Our metaphor begins with a typical office in a typical city. To prevent criminals from breaking in and committing industrial espionage, the office has strong doors with secure locks. And on top of this, let’s add a security guard, and give him a list of known suspects. At a glance, this seems like a comprehensive security system, and one that should be capable of keeping would-be criminals at bay. Unfortunately, a closer look reveals that it’s hardly impenetrable.

We all know that skilled criminals can pick almost any lock, and that they’re adept at being unseen. So there goes our strong door and lock, along with our security guard and his list of known suspects useless. What’s more, if the criminal knows someone on the inside who is willing to unlock a window, hand over their keycard or passcode, or in some other way compromise the office’s security, then the question isn’t whether a break-in will occur, but when.

Frankly, this closer look at what seemed like a comprehensive security system is unsettling. But in my view, it’s not nearly as jarring as the fact that many enterprises are at this very moment exposing their network to glaring threats when, like our metaphorical office, they focus exclusively on perimeter security and ignore what goes on beyond their network and “behind the scenes”.

In fact, enterprises that rely only on prevention-focused perimeter security tools -- which is typically comprised of anti-virus products, next generation firewalls, IPS and secure web gateways -- are actually positioning themselves to be the next victims of cyber criminals who “specialize” (for lack of a better word) in getting past perimeter security defenses, so they can deploy covert APTs and other advanced threats.

What’s more, such an attack can last weeks, months or even years before it’s spotted by an enterprise, and it’s often irate customers, concerned law enforcement officials, or terrified employees who sound the alarm bells.

So, while still being a critical piece of the overall puzzle, what can enterprises do when their perimeter security cannot prevent 100% of the advanced threats? Fortunately, this is where the bleak story brightens.

Just like an office that wisely implements a motion detection alarm to identify actual break-ins, and trains its security guard to look for suspicious behaviors rather than just for specific individuals, enterprises can quickly, simply, and cost-effectively augment their perimeter security with technology that lets them:

·Identify compromised devices of both local and remote employees

·Detect the onslaught of completely new and unknown malware, along with new variants of known malware, that are engineered to evade signature-based security products

·Use Big Data Analytics to look into their corporate network traffic for signs of unauthorized or suspicious activity

·Automatically integrate detection results with their on-premises network devices through a secure API, so they can take swift, focused action before the damage to their systems and reputation occurs

Ultimately, it comes down to this: just as offices need to detect break-ins to keep criminals from committing industrial espionage, enterprises need to put more focus on detecting APTs and other advanced threats to keep adversaries from penetrating their network.

This shift of focus from prevention to detection is more than just a change of course. Given the ever-worsening cyber threat landscape, coupled with the enormous strategic and financial value of intellectual property, it’s a view more and more enterprises today understand that they must adopt.

Aviv Raff is Co-Founder and Chief Technology Officer at Seculert. He is responsible for the fundamental research and design of Seculert’s core technology and brings with him over 10 years of experience in leading software development and security research teams. Prior to Seculert, Aviv established and managed RSA’s FraudAction Research Lab, as well as working as a senior security researcher at Finjan’s Malicious Code Research Center. Before joining Finjan, Aviv led software development teams at Amdocs. He holds a B.A. in Computer Science and Business Management from the Open University (Israel).